spp_ai.h
Go to the documentation of this file.
00001 /* 00002 * ===================================================================================== 00003 * 00004 * Filename: spp_ai.h 00005 * 00006 * Description: Header file for the preprocessor 00007 * 00008 * Version: 1.0 00009 * Created: 30/07/2010 15:47:12 00010 * Revision: none 00011 * Compiler: gcc 00012 * 00013 * Author: BlackLight (http://0x00.ath.cx), <blacklight@autistici.org> 00014 * Licence: GNU GPL v.3 00015 * Company: DO WHAT YOU WANT CAUSE A PIRATE IS FREE, YOU ARE A PIRATE! 00016 * 00017 * ===================================================================================== 00018 */ 00019 00020 #ifndef _SPP_AI_H 00021 #define _SPP_AI_H 00022 00023 #include "sf_snort_packet.h" 00024 #include "sf_dynamic_preprocessor.h" 00025 #include "uthash.h" 00026 00027 #define PRIVATE static 00028 00030 #define DEFAULT_HASH_CLEANUP_INTERVAL 300 00031 00033 #define DEFAULT_STREAM_EXPIRE_INTERVAL 300 00034 00036 #define DEFAULT_DATABASE_INTERVAL 30 00037 00039 #define DEFAULT_ALERT_CLUSTERING_INTERVAL 3600 00040 00042 #define DEFAULT_ALERT_LOG_FILE "/var/log/snort/alert" 00043 00045 #define DEFAULT_CLUSTER_LOG_FILE "/var/log/snort/cluster_alert" 00046 00047 extern DynamicPreprocessorData _dpd; 00048 typedef unsigned char uint8_t; 00049 typedef unsigned short uint16_t; 00050 typedef unsigned int uint32_t; 00051 00052 typedef enum { false, true } BOOL; 00053 00055 typedef enum { 00056 none, src_addr, dst_addr, src_port, dst_port, CLUSTER_TYPES 00057 } cluster_type; 00058 00060 struct pkt_key 00061 { 00062 uint32_t src_ip; 00063 uint16_t dst_port; 00064 }; 00065 00067 struct pkt_info 00068 { 00070 struct pkt_key key; 00071 00073 time_t timestamp; 00074 00076 SFSnortPacket* pkt; 00077 00079 struct pkt_info* next; 00080 00082 BOOL observed; 00083 00085 UT_hash_handle hh; 00086 }; 00087 00088 /* Data type containing the configuration of the module */ 00089 typedef struct 00090 { 00092 unsigned long hashCleanupInterval; 00093 00095 unsigned long streamExpireInterval; 00096 00098 unsigned long alertClusteringInterval; 00099 00101 unsigned long databaseParsingInterval; 00102 00104 char alertfile[1024]; 00105 00107 char clusterfile[1024]; 00108 00110 char dbname[256]; 00111 00113 char dbuser[256]; 00114 00116 char dbpass[256]; 00117 00119 char dbhost[256]; 00120 } AI_config; 00121 00122 /* Data type for hierarchies used for clustering */ 00123 typedef struct _hierarchy_node 00124 { 00125 cluster_type type; 00126 char label[256]; 00127 int min_val; 00128 int max_val; 00129 int nchildren; 00130 struct _hierarchy_node *parent; 00131 struct _hierarchy_node **children; 00132 } hierarchy_node; 00133 00135 typedef struct _AI_snort_alert { 00136 /* Identifiers of the alert */ 00137 unsigned int gid; 00138 unsigned int sid; 00139 unsigned int rev; 00140 00141 /* Snort priority, description, 00142 * classification and timestamp 00143 * of the alert */ 00144 unsigned short priority; 00145 char *desc; 00146 char *classification; 00147 time_t timestamp; 00148 00149 /* IP header information */ 00150 uint8_t ip_tos; 00151 uint16_t ip_len; 00152 uint16_t ip_id; 00153 uint8_t ip_ttl; 00154 uint8_t ip_proto; 00155 uint32_t ip_src_addr; 00156 uint32_t ip_dst_addr; 00157 00158 /* TCP header information */ 00159 uint16_t tcp_src_port; 00160 uint16_t tcp_dst_port; 00161 uint32_t tcp_seq; 00162 uint32_t tcp_ack; 00163 uint8_t tcp_flags; 00164 uint16_t tcp_window; 00165 uint16_t tcp_len; 00166 00167 /* Reference to the TCP stream 00168 * associated to the alert, if any */ 00169 struct pkt_info *stream; 00170 00171 /* Pointer to the next alert in 00172 * the log, if any*/ 00173 struct _AI_snort_alert *next; 00174 00175 /* Hierarchies for addresses and ports, 00176 * if the clustering algorithm is used */ 00177 hierarchy_node *h_node[CLUSTER_TYPES]; 00178 00179 /* If the clustering algorithm is used, 00180 * we also count how many alerts this 00181 * single alert groups */ 00182 unsigned int grouped_alarms_count; 00183 } AI_snort_alert; 00184 00185 int preg_match ( const char*, char*, char***, int* ); 00186 00187 void* AI_hashcleanup_thread ( void* ); 00188 void* AI_file_alertparser_thread ( void* ); 00189 void* AI_mysql_alertparser_thread ( void* ); 00190 00191 void AI_pkt_enqueue ( SFSnortPacket* ); 00192 void AI_set_stream_observed ( struct pkt_key key ); 00193 void AI_hierarchies_build ( AI_config*, hierarchy_node**, int ); 00194 00195 struct pkt_info* AI_get_stream_by_key ( struct pkt_key ); 00196 00197 AI_snort_alert* AI_get_alerts ( void ); 00198 AI_snort_alert* AI_mysql_get_alerts ( void ); 00199 00200 void AI_free_alerts ( AI_snort_alert *node ); 00201 void AI_mysql_free_alerts ( AI_snort_alert *node ); 00202 00204 AI_snort_alert* (*get_alerts)(void); 00205 00206 #endif /* _SPP_AI_H */ 00207
